91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2022 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
Size

245KB
MD5

5589c07b336229bd2dea6454fdd3b021
SHA1

cb9fa24d6b48cf65b221df6ffea609f7d5b2185a
SHA256

91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41
SHA512

dbef20203045272d658f7deb538a499a1d66d91ff249e3fca51c95fd910c96ade48df1ac9894252a40211ddf9ed0947c28e937add3306a715e03149c8c72a8c2
SSDEEP

384:lrILE1H+CHkFXP4WGzvsuj8Sf5dCuEMa/qunCmtJdh5R555Di:lIWeCHs6bdCjquRr5R555W

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
3796	KynXN1.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	KynXN1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 2832 set thread context of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3740	powershell.exe
3740	powershell.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
848	powershell.exe
848	powershell.exe
3292	powershell.exe
3292	powershell.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
Token: SeDebugPrivilege	820	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
Token: SeDebugPrivilege	3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 1048 wrote to memory of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 1048 wrote to memory of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 1048 wrote to memory of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 1048 wrote to memory of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 1048 wrote to memory of 820	1048	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	87
PID 820 wrote to memory of 3740	820	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	89
PID 820 wrote to memory of 3740	820	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	89
PID 2832 wrote to memory of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92
PID 2832 wrote to memory of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92
PID 2832 wrote to memory of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92
PID 2832 wrote to memory of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92
PID 2832 wrote to memory of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92
PID 2832 wrote to memory of 3984	2832	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	92
PID 3984 wrote to memory of 848	3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	93
PID 3984 wrote to memory of 848	3984	91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe	93
PID 848 wrote to memory of 3796	848	powershell.exe	95
PID 848 wrote to memory of 3796	848	powershell.exe	95
PID 3796 wrote to memory of 3292	3796	KynXN1.exe	96
PID 3796 wrote to memory of 3292	3796	KynXN1.exe	96

C:\Users\Admin\AppData\Local\Temp\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
"C:\Users\Admin\AppData\Local\Temp\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
  C:\Users\Admin\AppData\Local\Temp\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3740

C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
  C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEsAeQBuAFgATgAxAC4AZQB4AGUAIgA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\KynXN1.exe
      "C:\Users\Admin\AppData\Local\Temp\KynXN1.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe.log

Filesize
1KB

MD5
165bccf3bb1841eaf1a73ff52d65f59e

SHA1
8450f78886ff5ee9f0a1590582ed455624ae7eca

SHA256
d063952c091e25214469458e65b33da9ef9b413ede9cc2b8a5c28970bb1a5b69

SHA512
519d9ffd811bea83a16c234e25172ea186932c45b7004a309d536d0b3b465cc9c3409afc0fdf481fa215a395e305bbb5f2e209f6e0139875d710f23ff38fd5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f0f8c49b22409ca78499f5df1ce9456

SHA1
5300f7ed636959c8c8366418e891dbe49a3edba9

SHA256
429128efcec165baf50a81021e610933e1020f5298d865f7b30daf370fb22014

SHA512
ca976a7ab0ef4782c3003433e8d99d34d8060cb3a8790e787b56db1e207902b9dd15ecb6e76fecbd00f5e83a8add34329b25f86b90c62055f0d0d1de5607d2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KynXN1.exe

Filesize
2.7MB

MD5
324e7a91b3f7291bca9a15ae827e5619

SHA1
d3b1051e21dc90dfab48e7562e3241940a3ba8fb

SHA256
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d

SHA512
f09b6476da8d526e10df015fa09c0fe710725aff3f8a4cda87f449121f6a61f03a9cb48e602d7a67172d99bab7814e08c45654447ff31429d046bd74beeb4c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\KynXN1.exe

Filesize
2.7MB

MD5
324e7a91b3f7291bca9a15ae827e5619

SHA1
d3b1051e21dc90dfab48e7562e3241940a3ba8fb

SHA256
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d

SHA512
f09b6476da8d526e10df015fa09c0fe710725aff3f8a4cda87f449121f6a61f03a9cb48e602d7a67172d99bab7814e08c45654447ff31429d046bd74beeb4c88

Download Submit
C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe

Filesize
245KB

MD5
5589c07b336229bd2dea6454fdd3b021

SHA1
cb9fa24d6b48cf65b221df6ffea609f7d5b2185a

SHA256
91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41

SHA512
dbef20203045272d658f7deb538a499a1d66d91ff249e3fca51c95fd910c96ade48df1ac9894252a40211ddf9ed0947c28e937add3306a715e03149c8c72a8c2

Download Submit
C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe

Filesize
245KB

MD5
5589c07b336229bd2dea6454fdd3b021

SHA1
cb9fa24d6b48cf65b221df6ffea609f7d5b2185a

SHA256
91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41

SHA512
dbef20203045272d658f7deb538a499a1d66d91ff249e3fca51c95fd910c96ade48df1ac9894252a40211ddf9ed0947c28e937add3306a715e03149c8c72a8c2

Download Submit
C:\Users\Admin\AppData\Roaming\91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41.exe

Filesize
245KB

MD5
5589c07b336229bd2dea6454fdd3b021

SHA1
cb9fa24d6b48cf65b221df6ffea609f7d5b2185a

SHA256
91af42153fd29d18e2983570aa5d627a7c7eef9c80c330a0acebb89fd6a2ba41

SHA512
dbef20203045272d658f7deb538a499a1d66d91ff249e3fca51c95fd910c96ade48df1ac9894252a40211ddf9ed0947c28e937add3306a715e03149c8c72a8c2

Download Submit
memory/820-141-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/820-146-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/820-136-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/820-140-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/848-164-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/848-159-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-132-0x0000014513E80000-0x0000014513EC2000-memory.dmp

Filesize
264KB

Download
memory/1048-139-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-133-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-134-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-135-0x000001452F210000-0x000001452F232000-memory.dmp

Filesize
136KB

Download
memory/2832-153-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-149-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-147-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3292-168-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3292-170-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-143-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-148-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-163-0x000001A0BAFF0000-0x000001A0BB29A000-memory.dmp

Filesize
2.7MB

Download
memory/3796-165-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-169-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-155-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-154-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download